Allow overriding secure cookies for local development

CSRF and session cookies are configured to use the secure flag, i.e.
only send the cookies over HTTPS.

Chrome seems to ignore the secure flag when the origin is localhost,
which is why it hasn't been much of problem before now, but Safari
(correctly) does not set the cookie after login.

By making it an environment variable we can override for local
environments.

Author: MatMoore

manage_breast_screening/config/.env.tpl

@@ -11,6 +11,9 @@ DATABASE_HOST=localhost
 LOG_QUERIES=0
 PERSONAS_ENABLED=1
 
+CSRF_COOKIE_SECURE=False
+SESSION_COOKIE_SECURE=False
+
 # Set to FQDN in deployed environments
 BASE_URL=http://localhost:8000
 

manage_breast_screening/config/settings/base.py

@@ -37,8 +37,8 @@ def list_env(key):
 ALLOWED_HOSTS = list_env("ALLOWED_HOSTS")
 CSRF_TRUSTED_ORIGINS = list_env("CSRF_TRUSTED_ORIGINS")
 
-CSRF_COOKIE_SECURE = True
-SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = boolean_env("CSRF_COOKIE_SECURE", default=True)
+SESSION_COOKIE_SECURE = boolean_env("SESSION_COOKIE_SECURE", default=True)
 # SECURE_SSL_REDIRECT is set to False because TLS termination is handled at the Azure Container Apps layer
 SECURE_SSL_REDIRECT = False